allow setting touch required and/or pin required for hmac-sha1 #487

Open
daringer opened this issue Dec 18, 2023 · 4 comments

Comments

@daringer
Collaborator

While creating an HMAC-SHA1 secret, it should be possible to set the same constraints for get/list as for the other secret entries...

@daringer
Collaborator Author

daringer commented Jan 2, 2024

A suggested workaround was:

nitropy nk3 secrets update HmacSlot1 --touch-button true

An anonymous user reported:

I tried "--touch-button true" but it doesn't work...

@daringer
Collaborator Author

daringer commented Jan 2, 2024

More details from the pynitrokey side:

nitropy nk3 secrets add-challenge-response 1 $(echo "iosdjoidsfjoiddsfjo" | base32)

# doesn't require touch:
nitropy nk3 secrets get-password HmacSlot1

# setting touch for the entry:
nitropy nk3 secrets update HmacSlot1 --touch-button true

# this works, and get-password requires touch now:
nitropy nk3 secrets get-password HmacSlot1

But using it through the API directly doesn't respect this setting, so this is actually an issue for nitrokey-3-firmware.

@XSpielinbox

I can confirm that when setting up a Nitrokey 3 with HMAC-SHA1 for my KeepassXC database, it does not honor the touch-button setting.

I can change "touch-required" via the Nitrokey App 2 or the nitropy CLI, and it shows correctly in both applications, and the behavior of the CLI's secrets get-password changes accordingly, but in any case it still unlocks my KeepassXC database without my touching the key.

@daringer I could not find any related issue in nitrokey-3-firmware. Did you open one?

So what is the progress here? I would consider this a bug.

Is there any estimate when this will be fixed or any way one could help here?

@daringer
Collaborator Author

There is one inside the respective app: Nitrokey/trussed-secrets-app#112 or better Nitrokey/trussed-secrets-app#108 - this is planned for the next iteration of the secrets-app.
